apicasso 0.6.4 → 0.6.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5eeaa0a52a601b6fce1ea00f8bf9b236ca60f432ed9f676586a13f8433764d0a
-  data.tar.gz: 426f5dad526ac3c86bd3ea8764c035a26bf801462c6f9de069924157e914547d
+  metadata.gz: d09d0e339bfb17aa767876e5041f749e5154cedb2c327588713a14113d0e00dd
+  data.tar.gz: dd03efe8e6a7a64e4f67cae8e19f2d8be5a0782f10d1f0524114f3071969bbca
 SHA512:
-  metadata.gz: dcd5b7f8a9613413bfb6b9b9e6f342d802e0521f169b85f36bd24198476ac8a1cc0b75e9494703c174f78e1bff73369d9fcc126cbd6ecded961b5610c819bae5
-  data.tar.gz: c993d4f705a331eec2506781ba15a98409bfee179cc93a09d9068d78d5292b1edb4a1eeb20dee4c05bc3bf37e9f0c2398cef964b1f1c5c75a954bf05e01dc97e
+  metadata.gz: a456ef2a8afb8c238f99b693cbd3bf650753fb6c07f6c5e31724cd03e7d5607cb6edfbc67004521e1abcccbf13f80b628ba197fef4876993cfd1c8a4a6f36aae
+  data.tar.gz: 718d3734733cbeee045546495cd5f26985c799257172ca0434df0a7bd7db64e8a165c537ac17d1fda4f0cf8e3f82343bc9f8aa852e3d70958ffe4e4905ab77da

data/README.md

@@ -11,7 +11,7 @@ You can make your own API with only 4 steps:
 ### Step 1
  Create your models
 ### Step 2
- Insert **APIcasso** engine into your routes
+ Insert **APIcasso** engine into your routes and run the installation command
 ### Step 3
  [Create an Apicasso::Key](https://github.com/autoforce/APIcasso#authorization)
 ### Step 4
@@ -36,6 +36,7 @@ $ bundle install && rails g apicasso:install
 
  - PostgreSQL with JSON columns support
  - Ruby 2.3+
+ - Rails 5+
 
 # Usage
 
@@ -90,6 +91,10 @@ And in your `app/controllers/custom_controller.rb` you would have something like
 
 This way you enjoy all our object finder, authorization and authentication features, making your job more straight into your business logic.
 
+## CORS
+
+APIcasso comes with a permissive CORS configuration out of the box. But you can make your own by editting the `config/initializers/apicasso.rb` file, which is created at the installation proccess. The file comes with some descriptive comments and all configuration is based on [Rack CORS](https://github.com/cyu/rack-cors) options.
+
 ## Authentication
 
 > But exposing my models to the internet is permissive as hell! Haven't you thought about security?
@@ -223,7 +228,6 @@ Bug reports and pull requests are welcome on GitHub at https://github.com/Ervalh
 ### TODO
 
 - Add support to other databases
-- [Abstract a configurable CORS approach, maybe using middleware](https://github.com/autoforce/APIcasso/issues/22)
 - Add gem options like: Token rotation, Alternative authentication methods
 - Refine and document auto-documentation feature
 - Rate limiting

data/app/controllers/apicasso/application_controller.rb

@@ -60,91 +60,13 @@ module Apicasso
     def response_metadata
       {
         status: response.status,
-        body: (response.body.present? ? JSON.parse(response.body) : '')
+        body: parsed_response
       }
     end
 
-    # Reutrns root_resource if nested_resource is not set scoped by permissions
-    def resource
-      (@nested_resource || @root_resource)
-    end
-
-    # A method to extract all assosciations available
-    def associations_array
-      resource.reflect_on_all_associations.map { |association| association.name.to_s }
-    end
-
-    # Used to avoid errors parsing the search query, which can be passed as
-    # a JSON or as a key-value param. JSON is preferred because it generates
-    # shorter URLs on GET parameters.
-    def parsed_query
-      JSON.parse(params[:q])
-    rescue JSON::ParserError, TypeError
-      params[:q]
-    end
-
-    # Used to avoid errors in included associations parsing and to enable a
-    # insertion point for a change on splitting method.
-    def parsed_associations
-      params[:include].split(',').map do |param|
-        if @object.respond_to?(param)
-          param if associations_array.include?(param)
-        end
-      end.compact
-    rescue NoMethodError
-      []
-    end
-
-    # Used to avoid errors in included associations parsing and to enable a
-    # insertion point for a change on splitting method.
-    def parsed_methods
-      params[:include].split(',').map do |param|
-        if @object.respond_to?(param)
-          param unless associations_array.include?(param)
-        end
-      end.compact
-    rescue NoMethodError
-      []
-    end
-
-    # Used to avoid errors in fieldset selection parsing and to enable a
-    # insertion point for a change on splitting method.
-    def parsed_select
-      params[:select].split(',').map do |field|
-        field if resource.column_names.include?(field)
-      end
-    rescue NoMethodError
-      []
-    end
-
-    # Receives a `.paginate`d collection and returns the pagination
-    # metadata to be merged into response
-    def pagination_metadata_for(records)
-      { total: records.total_entries,
-        total_pages: records.total_pages,
-        last_page: records.next_page.blank?,
-        previous_page: previous_link_for(records),
-        next_page: next_link_for(records),
-        out_of_bounds: records.out_of_bounds?,
-        offset: records.offset }
-    end
-
-    # Generates a contextualized URL of the next page for the request
-    def next_link_for(records)
-      uri = URI.parse(request.original_url)
-      query = Rack::Utils.parse_query(uri.query)
-      query['page'] = records.next_page
-      uri.query = Rack::Utils.build_query(query)
-      uri.to_s
-    end
-
-    # Generates a contextualized URL of the previous page for the request
-    def previous_link_for(records)
-      uri = URI.parse(request.original_url)
-      query = Rack::Utils.parse_query(uri.query)
-      query['page'] = records.previous_page
-      uri.query = Rack::Utils.build_query(query)
-      uri.to_s
+    # Parsed response to save as metadata for the requests
+    def parsed_response
+      (response.body.present? ? JSON.parse(response.body) : '')
     end
 
     # Receives a `:action, :resource, :object` hash to validate authorization

data/app/controllers/apicasso/crud_controller.rb

@@ -8,6 +8,7 @@ module Apicasso
     before_action :set_nested_resource, only: %i[nested_index]
     before_action :set_records, only: %i[index nested_index]
     include SqlSecurity
+    include CrudUtils
     include Orderable
     # GET /:resource
     # Returns a paginated, ordered and filtered query based response.
@@ -90,10 +91,6 @@ module Apicasso
       authorize! action_to_cancancan, @object
     end
 
-    def action_to_cancancan
-      action_name == 'nested_index' ? :index : action_name.to_sym
-    end
-
     # Used to setup the resource's schema, mapping attributes and it's types
     def resource_schema
       schemated = {}
@@ -169,12 +166,6 @@ module Apicasso
         total: @records.size }
     end
 
-    # Parse to include options
-    def include_options
-      { include: parsed_associations || [],
-        methods: parsed_methods || [] }
-    end
-
     # Parsed JSON to be used as response payload, with included relations
     def include_relations
       @records = @records.includes(parsed_associations)
@@ -196,41 +187,6 @@ module Apicasso
             .permit(resource_params)
     end
 
-    # Resource params mapping, with a twist:
-    # Including relations as they are needed
-    def resource_params
-      built = resource_schema.keys
-      built += has_one_params if has_one_params.present?
-      built += has_many_params if has_many_params.present?
-      built
-    end
-
-    # A wrapper to has_one relations parameter building
-    def has_one_params
-      resource.reflect_on_all_associations(:has_one).map do |one|
-        if one.class_name.starts_with?('ActiveStorage')
-          next if one.class_name.ends_with?('Blob')
-
-          one.name.to_s.gsub(/(_attachment)$/, '').to_sym
-        else
-          one.name
-        end
-      end.compact
-    end
-
-    # A wrapper to has_many parameter building
-    def has_many_params
-      resource.reflect_on_all_associations(:has_many).map do |many|
-        if many.class_name.starts_with?('ActiveStorage')
-          next if many.class_name.ends_with?('Blob')
-
-          { many.name.to_s.gsub(/(_attachments)$/, '').to_sym => [] }
-        else
-          { many.name.to_sym => [] }
-        end
-      end.compact
-    end
-
     # Common setup to stablish which model is the resource of this request
     def set_root_resource
       @root_resource = params[:resource].classify.constantize

data/app/controllers/concerns/crud_utils.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+# Module to extract utilities used on CRUD controllers.
+# It makes it easier to parse parameters, proccess requests
+# and build rich responses.
+module CrudUtils
+  extend ActiveSupport::Concern
+
+  # Reutrns root_resource if nested_resource is not set scoped by permissions
+  def resource
+    (@nested_resource || @root_resource)
+  end
+
+  # A method to extract all assosciations available
+  def associations_array
+    resource.reflect_on_all_associations.map { |association| association.name.to_s }
+  end
+
+  # An parser to the action name so that nested_index has the same
+  # authorization behavior as index
+  def action_to_cancancan
+    action_name == 'nested_index' ? :index : action_name.to_sym
+  end
+
+  # Resource params mapping, with a twist:
+  # Including relations as they are needed
+  def resource_params
+    built = resource_schema.keys
+    built += has_one_params if has_one_params.present?
+    built += has_many_params if has_many_params.present?
+    built
+  end
+
+  # A wrapper to has_one relations parameter building
+  def has_one_params
+    resource.reflect_on_all_associations(:has_one).map do |one|
+      if one.class_name.starts_with?('ActiveStorage')
+        next if one.class_name.ends_with?('Blob')
+
+        one.name.to_s.gsub(/(_attachment)$/, '').to_sym
+      else
+        one.name
+      end
+    end.compact
+  end
+
+  # A wrapper to has_many parameter building
+  def has_many_params
+    resource.reflect_on_all_associations(:has_many).map do |many|
+      if many.class_name.starts_with?('ActiveStorage')
+        next if many.class_name.ends_with?('Blob')
+
+        { many.name.to_s.gsub(/(_attachments)$/, '').to_sym => [] }
+      else
+        { many.name.to_sym => [] }
+      end
+    end.compact
+  end
+
+  # Parse to include options
+  def include_options
+    { include: parsed_associations || [],
+      methods: parsed_methods || [] }
+  end
+
+  # Used to avoid errors parsing the search query, which can be passed as
+  # a JSON or as a key-value param. JSON is preferred because it generates
+  # shorter URLs on GET parameters.
+  def parsed_query
+    JSON.parse(params[:q])
+  rescue JSON::ParserError, TypeError
+    params[:q]
+  end
+
+  # Used to avoid errors in included associations parsing and to enable a
+  # insertion point for a change on splitting method.
+  def parsed_associations
+    params[:include].split(',').map do |param|
+      if @object.respond_to?(param)
+        param if associations_array.include?(param)
+      end
+    end.compact
+  rescue NoMethodError
+    []
+  end
+
+  # Used to avoid errors in included associations parsing and to enable a
+  # insertion point for a change on splitting method.
+  def parsed_methods
+    params[:include].split(',').map do |param|
+      if @object.respond_to?(param)
+        param unless associations_array.include?(param)
+      end
+    end.compact
+  rescue NoMethodError
+    []
+  end
+
+  # Used to avoid errors in fieldset selection parsing and to enable a
+  # insertion point for a change on splitting method.
+  def parsed_select
+    params[:select].split(',').map do |field|
+      field if resource.column_names.include?(field)
+    end
+  rescue NoMethodError
+    []
+  end
+
+  # Receives a `.paginate`d collection and returns the pagination
+  # metadata to be merged into response
+  def pagination_metadata_for(records)
+    { total: records.total_entries,
+      total_pages: records.total_pages,
+      last_page: records.next_page.blank?,
+      previous_page: previous_link_for(records),
+      next_page: next_link_for(records),
+      out_of_bounds: records.out_of_bounds?,
+      offset: records.offset }
+  end
+
+  # Generates a contextualized URL of the next page for the request
+  def next_link_for(records)
+    page_link(records, page: 'next')
+  end
+
+  # Generates a contextualized URL of the previous page for the request
+  def previous_link_for(records)
+    page_link(records, page: 'previous')
+  end
+
+  # Common pagination link generation helper
+  def page_link(records, opts = {})
+    uri = URI.parse(request.original_url)
+    query = Rack::Utils.parse_query(uri.query)
+    query['page'] = records.send("#{opts[:page]}_page")
+    uri.query = Rack::Utils.build_query(query)
+    uri.to_s
+  end
+end

data/app/controllers/concerns/sql_security.rb

@@ -46,12 +46,13 @@ module SqlSecurity
 
   # Check for a bad request to be more secure
   def klasses_allowed
-    raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless descendants_included?
+    raise ActionController::BadRequest.new('Bad hacker, stop be bully or I will tell to your mom!') unless safe_resource?
   end
 
-  # Check if it's a descendant model allowed
-  def descendants_included?
-    DESCENDANTS_UNDERSCORED.include?(param_attribute.to_s.underscore)
+  # Check if it's safe to use the requet
+  def safe_resource?
+    controller_name == representative_resource ||
+      DESCENDANTS_UNDERSCORED.include?(param_attribute.to_s.underscore)
   end
 
   # Get param to be compared

data/lib/apicasso/version.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+# A Module to rule them all...
 module Apicasso
-  VERSION = '0.6.4'.freeze
+  # Current gem version
+  VERSION = '0.6.5'.freeze
 end